U.S. Cyber Command has been vocal about its new, more assertive operating concept known as “persistent engagement” for the last year, implementing the 2018 Department of Defense Cyber Strategy’s guidance to “defend forward.” The concept is the command’s way to meet adversaries on the everyday battleground of cyberspace below the threshold of conflict and while being active in networks all over the world.
“In this dynamic environment, the United States must increase resiliency, defend forward as close as possible to the origin of adversary activity, and persistently contest malicious cyberspace actors to generate continuous tactical, operational, and strategic advantage," military leaders wrote in a 2018 vision statement.
But is the new philosophy visibly working? Representatives from the threat intelligence industry, who carefully track these behaviors, said it is still too early to tell if Cyber Command’s approach is changing the behavior of adversaries or even private companies in cyberspace.
“Adversaries don’t react necessarily at the drop of a hat," Adam Meyers, vice president of intelligence at CrowdStrike, told Fifth Domain. “When you start thinking about Cyber Command saying that they have a more aggressive posture, certainly I’ve seen reporting around it. I don’t know how effectively we can measure it.”
Meyers said it could be years until changes in behavior are evident, if ever. He attributed this to the obfuscation cyberspace affords.
However, Cyber Command leaders have said they want so-called loud tools that could be attributed to the United States, akin to dropping a bomb from an Air Force B-2.
Moreover, sources have noted how the command’s capabilities directorate in the past few years has looked at the cyber equivalent of parking an aircraft carrier off another country’s coast as a form of power projection.
Meyers said he still hasn’t seen any malware with a U.S. Cyber Command “signing certificate” attached.
Cyberspace is a volatile environment and while activity continues to spike, it can’t all be attributed directly to Cyber Command’s new more assertive approach. Tom Kellermann, chief cybersecurity officer at Carbon Black, has noted a significant increase in destructive attacks.
“I do not draw a correlation between CYBERCOM’s activity and that activity,” Kellerman said. “I just think the environment’s become more punitive, that nation states have created cyber militias acting as proxies and there’s a free fire zone out there right now.”
Given the volatility of the environment, other experts have said that since its creation, Cyber Command has made a difference in behaviors in cyberspace.
“Nobody has identified a significant change to adversary operating behavior due to CYBERCOM. The reason is, and it’s very simple, is that adversaries have always been operating in compromised environments,” Sergio Caltagirone, vice president of threat intelligence at Dragos, told Fifth Domain. “Whether CYBERCOM is coming after you or not, it does not change the fact that they’ve been working to protect themselves against the network defenders since the beginning.”
Caltagirone, added that Cyber Command continues to operate from a disadvantage with few ways to project power or fundamentally change the operating environment.
“The only reason that military forces project power successfully is because they dominate the space, the physical space of the wartime environment. They can’t do that in this space, so they are fundamentally in a … weak [position],” he said.
Cyber Command has described three tiers to its philosophy of persistence: persistent engagement, persistent presence and persistent innovation. Together, the approach is aimed at developing new ways to either disrupt adversary behavior or impose some type of cost to make adversaries think twice before conducting attacks.
While not directly attributing the U.S. government or Cyber Command directly, given insufficient evidence, Meyers did point to an uptick in leaks targeting foreign cyber threat actors.
Other experts added that regular “threat hunting” will eventually force adversaries to change their behavior.
It “forces the adversary to constantly innovate and change methods of operations as we’re seeing currently across advanced threat actors, both nation state sponsored and criminal groups. This includes the adoption of living-off-the-land techniques to disguise adversarial techniques and activities that are legitimate user or network activities,” Israel Barak, chief information security officer at Cybereason, wrote to Fifth Domain.
“Looking forward, we foresee this form of threat hunting will increase the risk in price that adversaries will have to endure to sustain an offensive operation, given the constant need to innovate and create new methods of operation. However, since adversaries are likely aware of many of the defenders hunting techniques, we can expect adversaries to take counter measures, including: creating false attribution by adopting someone else's or another threat groups methods of operation and adopting methods of operation that typical threat hunting techniques do not have visibility into.”
Fifth Domain reporter Andrew Eversden contributed to this report.
Editor’s note: This story has been updated to more accurately describe the relationship between “defend forward” and “persistent engagement.”
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.